summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--accounts/gkleen@sif/ssh-hosts.nix4
-rw-r--r--flake.lock42
-rw-r--r--flake.nix7
-rw-r--r--hosts/surtr/email/ca/.gitignore4
-rw-r--r--hosts/surtr/email/ca/index.txt1
-rw-r--r--hosts/surtr/email/ca/serial2
-rw-r--r--hosts/surtr/matrix/default.nix10
-rw-r--r--overlays/lego.nix10
-rw-r--r--overlays/postfix-mta-sts-resolver.nix2
-rw-r--r--overlays/prometheus-node-exporter.nix15
-rw-r--r--overlays/spm/default.nix6
11 files changed, 43 insertions, 60 deletions
diff --git a/accounts/gkleen@sif/ssh-hosts.nix b/accounts/gkleen@sif/ssh-hosts.nix
index 0265190b..24d1f18c 100644
--- a/accounts/gkleen@sif/ssh-hosts.nix
+++ b/accounts/gkleen@sif/ssh-hosts.nix
@@ -378,6 +378,10 @@
378 { hostname = "mail-mi01.mathinst.loc"; 378 { hostname = "mail-mi01.mathinst.loc";
379 proxyJump = "mathw0h"; 379 proxyJump = "mathw0h";
380 }; 380 };
381 "mail-www02" =
382 { hostname = "mail-www02.mathinst.loc";
383 proxyJump = "mathw0h";
384 };
381 "dpl-fai01" = 385 "dpl-fai01" =
382 { hostname = "dpl-fai01.mathinst.loc"; 386 { hostname = "dpl-fai01.mathinst.loc";
383 user = "root"; 387 user = "root";
diff --git a/flake.lock b/flake.lock
index 0443ac7c..7a0dd9c1 100644
--- a/flake.lock
+++ b/flake.lock
@@ -11,11 +11,11 @@
11 "utils": "utils" 11 "utils": "utils"
12 }, 12 },
13 "locked": { 13 "locked": {
14 "lastModified": 1653594315, 14 "lastModified": 1659725433,
15 "narHash": "sha256-kJ0ENmnQJ4qL2FeYKZba9kvv1KmIuB3NVpBwMeI7AJQ=", 15 "narHash": "sha256-1ZxuK67TL29YLw88vQ18Y2Y6iYg8Jb7I6/HVzmNB6nM=",
16 "owner": "serokell", 16 "owner": "serokell",
17 "repo": "deploy-rs", 17 "repo": "deploy-rs",
18 "rev": "184349d8149436748986d1bdba087e4149e9c160", 18 "rev": "41f15759dd8b638e7b4f299730d94d5aa46ab7eb",
19 "type": "github" 19 "type": "github"
20 }, 20 },
21 "original": { 21 "original": {
@@ -80,11 +80,11 @@
80 "utils": "utils_2" 80 "utils": "utils_2"
81 }, 81 },
82 "locked": { 82 "locked": {
83 "lastModified": 1658924727, 83 "lastModified": 1662759269,
84 "narHash": "sha256-Fhh9FK9CvuCLxG1WkWJPoendDeXKI4gHYTfezo1n2Zg=", 84 "narHash": "sha256-lt8bAfEZudCQb+MxoNKmenhMTXhu3RCCyLYxU9t5FFk=",
85 "owner": "nix-community", 85 "owner": "nix-community",
86 "repo": "home-manager", 86 "repo": "home-manager",
87 "rev": "0e2f7876d2f2ae98a67d89a8bef8c49332aae5af", 87 "rev": "9f7fe353b613d0e45d7a5cdbd1f13c96c15803dd",
88 "type": "github" 88 "type": "github"
89 }, 89 },
90 "original": { 90 "original": {
@@ -105,11 +105,11 @@
105 ] 105 ]
106 }, 106 },
107 "locked": { 107 "locked": {
108 "lastModified": 1657089034, 108 "lastModified": 1662635943,
109 "narHash": "sha256-qSjk1iOi14ijAOP6QuGfE3fvy08aVxsgus+ArwgiyuU=", 109 "narHash": "sha256-1OBBlBzZ894or8eHZjyADOMnGH89pPUKYGVVS5rwW/0=",
110 "owner": "DavHau", 110 "owner": "DavHau",
111 "repo": "mach-nix", 111 "repo": "mach-nix",
112 "rev": "51caf584f26acdfaa51bbf7ee1ffa365aea7bc64", 112 "rev": "65266b5cc867fec2cb6a25409dd7cd12251f6107",
113 "type": "github" 113 "type": "github"
114 }, 114 },
115 "original": { 115 "original": {
@@ -121,11 +121,11 @@
121 }, 121 },
122 "nixpkgs": { 122 "nixpkgs": {
123 "locked": { 123 "locked": {
124 "lastModified": 1659009481, 124 "lastModified": 1663071011,
125 "narHash": "sha256-BRM5R7AMKa58NAJnZsmWsVhDxuGllnhTvpVEZ+sP49I=", 125 "narHash": "sha256-HjPb5iEwKwyNpnkn4Wo2hptAU5TAmfXd30mxemXPBtg=",
126 "owner": "NixOS", 126 "owner": "NixOS",
127 "repo": "nixpkgs", 127 "repo": "nixpkgs",
128 "rev": "2d9b7cb5f0a41da95fccc120acf730fd20d8598d", 128 "rev": "0caf7675ec9b90ab9ad309d7a993a13798eeaa26",
129 "type": "github" 129 "type": "github"
130 }, 130 },
131 "original": { 131 "original": {
@@ -137,11 +137,11 @@
137 }, 137 },
138 "nixpkgs-22_05": { 138 "nixpkgs-22_05": {
139 "locked": { 139 "locked": {
140 "lastModified": 1658634393, 140 "lastModified": 1662864125,
141 "narHash": "sha256-VW7edeFzA9VU8gZPxPFGpoPsM2AQLYHKhA9H5+OYtno=", 141 "narHash": "sha256-AtjyEFK7Zp9+hOOUNO1/YZRADV/wC94R3yeKN8saUK4=",
142 "owner": "NixOS", 142 "owner": "NixOS",
143 "repo": "nixpkgs", 143 "repo": "nixpkgs",
144 "rev": "2e14bc76ab41c60ba57fd57ff52badaa29d349f5", 144 "rev": "e6f053b6079c16e7df97531e3e0524ace1304d4d",
145 "type": "github" 145 "type": "github"
146 }, 146 },
147 "original": { 147 "original": {
@@ -179,11 +179,11 @@
179 "pypi-deps-db": { 179 "pypi-deps-db": {
180 "flake": false, 180 "flake": false,
181 "locked": { 181 "locked": {
182 "lastModified": 1658996715, 182 "lastModified": 1663059297,
183 "narHash": "sha256-U5WLiaMoEMvbkGHSHmNVRNzpXPJ0S87ZsB4iwZtp6eI=", 183 "narHash": "sha256-JaD4mhUOLJRNaepE50fOUfaSYRNwMhobyj8HGIxosiQ=",
184 "owner": "DavHau", 184 "owner": "DavHau",
185 "repo": "pypi-deps-db", 185 "repo": "pypi-deps-db",
186 "rev": "3c9aa49a06c1c80791ea412e04fbd9d71e463f9c", 186 "rev": "8aa6ec60bf7ed12c1e1705a2f28be63d8eee4386",
187 "type": "github" 187 "type": "github"
188 }, 188 },
189 "original": { 189 "original": {
@@ -212,11 +212,11 @@
212 "nixpkgs-22_05": "nixpkgs-22_05" 212 "nixpkgs-22_05": "nixpkgs-22_05"
213 }, 213 },
214 "locked": { 214 "locked": {
215 "lastModified": 1658635258, 215 "lastModified": 1662870301,
216 "narHash": "sha256-EC8y3Rg+l9IzIUdOaFSA0LMdDipTRoweg1Y2EL8XhMc=", 216 "narHash": "sha256-O+ABD+WzEBLVH6FwxKCIpps0hsR6b5dpYe6fB3e3Ju8=",
217 "owner": "Mic92", 217 "owner": "Mic92",
218 "repo": "sops-nix", 218 "repo": "sops-nix",
219 "rev": "d7f8cf1b77ebe5f287884f17b1ee4cc4f48bad1d", 219 "rev": "20929e1c5722a6db2f2dbe4cd36d4af0de0a9df0",
220 "type": "github" 220 "type": "github"
221 }, 221 },
222 "original": { 222 "original": {
diff --git a/flake.nix b/flake.nix
index e7557b2d..defcd864 100644
--- a/flake.nix
+++ b/flake.nix
@@ -14,7 +14,6 @@
14 repo = "home-manager"; 14 repo = "home-manager";
15 ref = "master"; 15 ref = "master";
16 inputs = { 16 inputs = {
17 flake-compat.follows = "flake-compat";
18 nixpkgs.follows = "nixpkgs"; 17 nixpkgs.follows = "nixpkgs";
19 }; 18 };
20 }; 19 };
@@ -78,11 +77,11 @@
78 inherit (lib) nixosSystem mkIf splitString filterAttrs listToAttrs mapAttrsToList nameValuePair concatMap composeManyExtensions mapAttrs mapAttrs' recursiveUpdate genAttrs unique elem optionalAttrs isDerivation concatLists concatStringsSep fix filter makeOverridable foldr; 77 inherit (lib) nixosSystem mkIf splitString filterAttrs listToAttrs mapAttrsToList nameValuePair concatMap composeManyExtensions mapAttrs mapAttrs' recursiveUpdate genAttrs unique elem optionalAttrs isDerivation concatLists concatStringsSep fix filter makeOverridable foldr;
79 inherit (lib.strings) escapeNixString; 78 inherit (lib.strings) escapeNixString;
80 79
81 accountUserName = accountName: 80 accountUserName = accountName:
82 let 81 let
83 accountName' = splitString "@" accountName; 82 accountName' = splitString "@" accountName;
84 in elemAt accountName' 0; 83 in elemAt accountName' 0;
85 accountHostName = accountName: 84 accountHostName = accountName:
86 let 85 let
87 accountName' = splitString "@" accountName; 86 accountName' = splitString "@" accountName;
88 in elemAt accountName' 1; 87 in elemAt accountName' 1;
@@ -132,7 +131,7 @@
132 (outputs: { _file = dir + "/${path}"; } 131 (outputs: { _file = dir + "/${path}"; }
133 // outputs 132 // outputs
134 // { imports = defaultUserProfiles userName ++ (outputs.imports or []); }); 133 // { imports = defaultUserProfiles userName ++ (outputs.imports or []); });
135 134
136 mkUserProfile = userName: dir: path: profileName: 135 mkUserProfile = userName: dir: path: profileName:
137 let 136 let
138 profileModule = overrideModule (import (dir + "/${path}")) 137 profileModule = overrideModule (import (dir + "/${path}"))
diff --git a/hosts/surtr/email/ca/.gitignore b/hosts/surtr/email/ca/.gitignore
index adafac92..af29cdfa 100644
--- a/hosts/surtr/email/ca/.gitignore
+++ b/hosts/surtr/email/ca/.gitignore
@@ -3,4 +3,6 @@
3*.old 3*.old
4*.crt 4*.crt
5*.pkcs12 5*.pkcs12
6certs \ No newline at end of file 6*.p12
7certs
8index.txt.bak \ No newline at end of file
diff --git a/hosts/surtr/email/ca/index.txt b/hosts/surtr/email/ca/index.txt
index 40c9605a..cbaf96b2 100644
--- a/hosts/surtr/email/ca/index.txt
+++ b/hosts/surtr/email/ca/index.txt
@@ -1,2 +1,3 @@
1V 320513204402Z 03 unknown /CN=gkleen 1V 320513204402Z 03 unknown /CN=gkleen
2V 320515063648Z 04 unknown /CN=nmuehlbauer 2V 320515063648Z 04 unknown /CN=nmuehlbauer
3V 320910104724Z 05 unknown /CN=mwgnr
diff --git a/hosts/surtr/email/ca/serial b/hosts/surtr/email/ca/serial
index eeee65ec..cd672a53 100644
--- a/hosts/surtr/email/ca/serial
+++ b/hosts/surtr/email/ca/serial
@@ -1 +1 @@
05 06
diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix
index e3a52f9a..46c2f338 100644
--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
@@ -111,7 +111,7 @@ with lib;
111 ProtectClock = true; 111 ProtectClock = true;
112 ProtectHostname = true; 112 ProtectHostname = true;
113 113
114 ProtectHome = "tmpfs"; 114 ProtectHome = true;
115 ProtectKernelLogs = true; 115 ProtectKernelLogs = true;
116 116
117 ProtectProc = "invisible"; 117 ProtectProc = "invisible";
@@ -123,7 +123,7 @@ with lib;
123 123
124 SystemCallArchitectures = "native"; 124 SystemCallArchitectures = "native";
125 SystemCallFilter = ["@system-service" "~@privileged @resources @obsolete"]; 125 SystemCallFilter = ["@system-service" "~@privileged @resources @obsolete"];
126 126
127 RestrictSUIDSGID = true; 127 RestrictSUIDSGID = true;
128 RemoveIPC = true; 128 RemoveIPC = true;
129 NoNewPrivileges = true; 129 NoNewPrivileges = true;
@@ -174,7 +174,7 @@ with lib;
174 ${corsHeaders} 174 ${corsHeaders}
175 ''; 175 '';
176 return = "200 '${builtins.toJSON { 176 return = "200 '${builtins.toJSON {
177 "m.server" = "synapse.li:443"; 177 "m.server" = "synapse.li:443";
178 }}'"; 178 }}'";
179 }; 179 };
180 "= /.well-known/matrix/client" = { 180 "= /.well-known/matrix/client" = {
@@ -198,7 +198,7 @@ with lib;
198 sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem"; 198 sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem";
199 extraConfig = '' 199 extraConfig = ''
200 add_header Strict-Transport-Security "max-age=63072000" always; 200 add_header Strict-Transport-Security "max-age=63072000" always;
201 201
202 add_header X-Frame-Options SAMEORIGIN; 202 add_header X-Frame-Options SAMEORIGIN;
203 add_header X-Content-Type-Options nosniff; 203 add_header X-Content-Type-Options nosniff;
204 add_header X-XSS-Protection "1; mode=block"; 204 add_header X-XSS-Protection "1; mode=block";
@@ -240,7 +240,7 @@ with lib;
240 "synapse.li".certCfg = { 240 "synapse.li".certCfg = {
241 postRun = '' 241 postRun = ''
242 ${pkgs.systemd}/bin/systemctl try-restart nginx.service 242 ${pkgs.systemd}/bin/systemctl try-restart nginx.service
243 ''; 243 '';
244 }; 244 };
245 }; 245 };
246 246
diff --git a/overlays/lego.nix b/overlays/lego.nix
deleted file mode 100644
index 363b32da..00000000
--- a/overlays/lego.nix
+++ /dev/null
@@ -1,10 +0,0 @@
1{ prev, ... }: {
2 lego = prev.lego.override {
3 buildGoModule = args: prev.buildGoModule (args // {
4 patches = (args.patches or []) ++ prev.lib.lists.singleton (prev.fetchpatch {
5 url = "https://patch-diff.githubusercontent.com/raw/go-acme/lego/pull/1501.patch";
6 hash = "sha256-hLuWX607T8tcqljpBzEADViZd2FABkCgjNCLXMyWpuA=";
7 });
8 });
9 };
10}
diff --git a/overlays/postfix-mta-sts-resolver.nix b/overlays/postfix-mta-sts-resolver.nix
index 1d8f0188..a06dace5 100644
--- a/overlays/postfix-mta-sts-resolver.nix
+++ b/overlays/postfix-mta-sts-resolver.nix
@@ -22,5 +22,7 @@
22 }); 22 });
23 }) 23 })
24 ]; 24 ];
25
26 _.pyparsing.buildInputs.add = with final.python310Packages; [ flit-core ];
25 }; 27 };
26} 28}
diff --git a/overlays/prometheus-node-exporter.nix b/overlays/prometheus-node-exporter.nix
deleted file mode 100644
index de5b15f2..00000000
--- a/overlays/prometheus-node-exporter.nix
+++ /dev/null
@@ -1,15 +0,0 @@
1{ prev, ... }: {
2 prometheus-systemd-exporter = prev.prometheus-systemd-exporter.overrideAttrs (oldAttrs: {
3 patches = oldAttrs.patches or [] ++ [
4 (prev.runCommand "cpu-unified.diff" {
5 src = prev.fetchurl {
6 url = "https://github.com/pelov/systemd_exporter/commit/2880a8dd1ca4909e51a569093284fad47343016a.diff";
7 hash = "sha256-i6sptiCdXmOqK5kfjLbIupctM34RqDahAE/39+35dRI=";
8 };
9 buildInputs = with prev; [ patchutils ];
10 } ''
11 filterdiff -x '**/CHANGELOG.md' $src > $out
12 '')
13 ];
14 });
15}
diff --git a/overlays/spm/default.nix b/overlays/spm/default.nix
index 5c820d9c..05a8f013 100644
--- a/overlays/spm/default.nix
+++ b/overlays/spm/default.nix
@@ -4,9 +4,9 @@ let
4 # defaultPackages = (import ./stackage.nix {}); 4 # defaultPackages = (import ./stackage.nix {});
5 # haskellPackages = defaultPackages // argumentPackages; 5 # haskellPackages = defaultPackages // argumentPackages;
6 # haskellPackages = argumentPackages; 6 # haskellPackages = argumentPackages;
7 haskellPackages = final.haskell.packages.ghc923.override { 7 haskellPackages = final.haskell.packages.ghc924.override {
8 overrides = self: super: { 8 overrides = self: super: {
9 warp-systemd = final.haskell.lib.doJailbreak (super.warp-systemd.overrideAttrs (oldAttrs: { meta = oldAttrs.meta // { broken = false; }; })); 9 warp-systemd = final.haskell.lib.doJailbreak (super.warp-systemd.overrideAttrs (oldAttrs: { meta = oldAttrs.meta // { broken = false; }; }));
10 servant-server = super.servant-server.overrideAttrs (oldAttrs: { 10 servant-server = super.servant-server.overrideAttrs (oldAttrs: {
11 patches = []; 11 patches = [];
12 }); 12 });
@@ -34,7 +34,7 @@ let
34 in path: _type: builtins.match "^frontend(/.*)?$" (relPath path) == null; 34 in path: _type: builtins.match "^frontend(/.*)?$" (relPath path) == null;
35 src = ./.; 35 src = ./.;
36 }; 36 };
37 37
38 postPatch = '' 38 postPatch = ''
39 ${oldAttrs.postPatch or ""} 39 ${oldAttrs.postPatch or ""}
40 40